MongoDB日常运维之用户管理

MongoDB 数据库默认是没有用户名及密码的，即无权限访问限制。为了方便数据库的管理和安全，需创建数据库用户。

1，用户的权限

用户中权限的说明：

权限	说明
Read	允许用户读取指定数据库
readWrite	允许用户读写指定数据库
dbAdmin	允许用户在指定数据库中执行管理函数，如索引创建、删除，查看统计或访问 system.profile
userAdmin	允许用户向 system.users 集合写入，可以找指定数据库里创建、删除和管理用户
clusterAdmin	只在 admin 数据库中可用，赋予用户所有分片和复制集相关函数的管理权限。
readAnyDatabase	只在 admin 数据库中可用，赋予用户所有数据库的读权限
readWriteAnyDatabase	只在 admin 数据库中可用，赋予用户所有数据库的读写权限
userAdminAnyDatabase	只在 admin 数据库中可用，赋予用户所有数据库的 userAdmin 权限
dbAdminAnyDatabase	只在 admin 数据库中可用，赋予用户所有数据库的 dbAdmin 权限。
root	只在 admin 数据库中可用。超级账号，超级权限

更多关于用户权限的说明参照：https://docs.mongodb.com/manual/core/security-built-in-roles/

用户创建语法：

{
user: "<name>",
pwd: "<cleartext password>",
customData: { <any information> },
roles: [
{ role: "<role>",
db: "<database>" } | "<role>",
...
]
}

语法说明：

user 字段：用户的名字;
pwd 字段：用户的密码;
cusomData 字段：为任意内容，例如可以为用户全名介绍;
roles 字段：指定用户的角色，可以用一个空数组给新用户设定空角色；
roles 字段：可以指定内置角色和用户定义的角色。

2，创建管理员用户

到这里专门讲解用户管理了，因此配置当中开启用户认证，配置信息如下：

[root@mongodb bin]$cat mongodb.conf
#数据存储目录
dbpath=/usr/local/mongodb/data/db
#日志文件目录
logpath=/usr/local/mongodb/logs/mongodb.log
#后台运行
fork=true
auth=true
bind_ip=0.0.0.0
[root@mongodb bin]$systemctl restart mongod
[root@mongodb bin]$systemctl status mongod

进入管理数据库

[root@mongodb bin]$mongo
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("56712ce5-d30a-421f-b447-0eea5294aafb") }
MongoDB server version: 4.0.10
> use admin

1，创建管理用户，root 权限

> use admin
switched to db admin
> db.createUser({user: "root",pwd: "root",roles: [ { role: "root", db: "admin" } ]})
Successfully added user: {"user" : "root","roles" : [{"role" : "root","db" : "admin"}]
}

注意：

创建管理员角色用户的时候，必须到 admin 下创建。

删除的时候也要到相应的库下操作。

验证用户是否能用

> db.auth("root","root")
1  # 返回 1 即为成功

2，查看创建的管理员用户

一个常见的报错：

> show users
2019-07-03T14:33:49.060+0800 E QUERY    [js] Error: command usersInfo requires authentication :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.getUsers@src/mongo/shell/db.js:1763:1
shellHelper.show@src/mongo/shell/utils.js:859:9
shellHelper@src/mongo/shell/utils.js:766:15
@(shellhelp2):1:1

这种报错常常出现在没有授权的情况下，刚刚也只是创建了对应的用户名以及角色，但是还没有通过 root 用户进行登陆。

> db.auth("root","root")
1
> show users
{"_id" : "admin.root","userId" : UUID("fa320150-781c-4a07-b427-c3a42f360133"),"user" : "root","db" : "admin","roles" : [{"role" : "root","db" : "admin"}],"mechanisms" : ["SCRAM-SHA-1","SCRAM-SHA-256"]
}

3，登陆数据库

注意：用户在哪个数据库下创建的，最后加上什么库，这里自然选择 admin 库。

方法一：命令行中进行登陆

[root@mongodb bin]$mongo -uroot -proot admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("3f5eda3b-89da-4ef5-bcb2-022bc0517c11") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-03T15:39:36.265+0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-03T15:39:36.265+0800 I CONTROL  [initandlisten]
>

方法二：在数据库中进行登陆验证：

[root@mongodb bin]$ mongo
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("896ba84c-3127-4ac1-85a9-ca4f4da3e60c") }
MongoDB server version: 4.0.10
> use admin
switched to db admin
> db.auth("root","root")
1
> show tables
system.users
system.version

正常登陆之后，再次查看用户：

> show users
{"_id" : "admin.root","userId" : UUID("fa320150-781c-4a07-b427-c3a42f360133"),"user" : "root","db" : "admin","roles" : [{"role" : "root","db" : "admin"}],"mechanisms" : ["SCRAM-SHA-1","SCRAM-SHA-256"]
}

4，忘记管理员密码怎么办

有时候可能会忘记管理员密码，需要对其进行重置，这个时候，有两种方式可以更新管理员密码。

如果连用户名都忘记了，那么我们首先需要更改 MongoDB 的配置，去掉用户名密码认证的功能，然后重启。

[root@mongodb bin]$cat mongodb.conf
#数据存储目录
dbpath=/usr/local/mongodb/data/db
#日志文件目录
logpath=/usr/local/mongodb/logs/mongodb.log
#后台运行
fork=true
auth=false
bind_ip=0.0.0.0
[root@mongodb bin]$systemctl restart mongod
[root@mongodb bin]$systemctl status mongod

然后使用 mongo 命令进入到数据库，进行简单查询：

[root@localhost bin]$mongo
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("3e0268c2-7e34-4a61-947d-f8e2368640f5") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T17:54:54.016+0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T17:54:54.016+0800 I CONTROL  [initandlisten]
> use admin
switched to db admin
> show users
{"_id" : "admin.root","userId" : UUID("c8514da6-4484-4036-9c13-b5deeb449575"),"user" : "root","db" : "admin","roles" : [{"role" : "root",    #这里就可以判断角色为root的账号名字也是root"db" : "admin"}],"mechanisms" : ["SCRAM-SHA-1","SCRAM-SHA-256"]
}
> show tables   #或者通过查询表来得知
system.users
system.version
> db.system.users.find()    #查询user表
{ "_id" : "admin.root", "userId" : UUID("c8514da6-4484-4036-9c13-b5deeb449575"), "user" : "root", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "SxO3kQwjFX8833lnQXQKbw==", "storedKey" : "1LQVQGW3ScF8WC0iCSMUJ5Iokpc=", "serverKey" : "t2PSzcZSE1KFzMXXK4BmxfPno9s=" }, "SCRAM-SHA-256" : { "iterationCount" : 15000, "salt" : "XDCd8GfHOtBiZnC6Eafx37aUV+2lO9EZbWl9rQ==", "storedKey" : "ZYHs6Umf0bVP8uofPGlcAl5uFzzQWovc4oczHjckmBs=", "serverKey" : "apVEilrpFXVAfBMMCwiIHl7H4bdnd6xm6KN88fXYJWo=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }

得知管理员用户的名称为 root 之后，就能够进行密码更新的操作了。

利用

db.changeUserPassword

[root@localhost bin]$mongo
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("3e0268c2-7e34-4a61-947d-f8e2368640f5") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T17:54:54.016+0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T17:54:54.016+0800 I CONTROL  [initandlisten]
> use admin
switched to db admin
> db.changeUserPassword('root','test1')

然后重新开启用户认证，重启验证。

[root@mongodb bin]$cat mongodb.conf
#数据存储目录
dbpath=/usr/local/mongodb/data/db
#日志文件目录
logpath=/usr/local/mongodb/logs/mongodb.log
#后台运行
fork=true
auth=true
bind_ip=0.0.0.0
[root@mongodb bin]$systemctl restart mongod
[root@mongodb bin]$systemctl status mongod

登陆一下：

[root@localhost bin]$mongo -uroot -ptest1 admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("7ebe8a49-a750-46b1-a59e-c95abc0d7401") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T18:06:24.623+0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T18:06:24.623+0800 I CONTROL  [initandlisten]
> db
admin
> show users
{"_id" : "admin.root","userId" : UUID("c8514da6-4484-4036-9c13-b5deeb449575"),"user" : "root","db" : "admin","roles" : [{"role" : "root","db" : "admin"}],"mechanisms" : ["SCRAM-SHA-1","SCRAM-SHA-256"]
}

3，按生产需求创建应用用户

因为目前用户规划都还比较简单，因此创建用户的时候，都是基于 admin 来进行。

1，创建某库的读写用户

创建 test 用户，权限为读写

[root@mongodb bin]$mongo -uroot -proot admin    #使用admin登陆
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("3f5eda3b-89da-4ef5-bcb2-022bc0517c11") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-03T15:39:36.265+0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-03T15:39:36.265+0800 I CONTROL  [initandlisten]
> use eryajf    #一定要注意，给哪个库授权就要先切换到对应的库，不然这个用户将无法登陆
> db.createUser({user: "test",pwd: "test",roles: [ { role: "readWrite", db: "eryajf" } ]})  #创建读写用户
Successfully added user: {"user" : "test","roles" : [{"role" : "readWrite","db" : "eryajf"}]
}
> show users    #查看用户
{"_id" : "eryajf.test","userId" : UUID("3bd64373-13c5-4a47-95f9-92a2433c0bf4"),"user" : "test","db" : "eryajf","roles" : [{"role" : "readWrite","db" : "eryajf"}],"mechanisms" : ["SCRAM-SHA-1","SCRAM-SHA-256"]
}

注意：给哪个库创建用户，授权用户，都要先use到对应的库，否则将不生效，删除用户也是。

测试用户权限

[root@localhost bin]$mongo -utest -ptest eryajf
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/eryajf?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("dd97a5e3-9226-4a04-8221-dec566edc1c3") }
MongoDB server version: 4.0.10
> db.createCollection('d')
{ "ok" : 1 }
> db.getCollectionNames()
[ "a", "b", "c", "d" ]

2，创建对某库的只读用户

在 eryajf 库创建只读用户 test

[root@localhost bin]$mongo -uroot -proot admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("b1d0e8f4-6c13-4c27-abfa-b8035f983453") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T00:16:54.097+0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T00:16:54.097+0800 I CONTROL  [initandlisten]
> use eryajf    #切换到对应库
> db.createUser({user: "test1",pwd: "test1",roles: [ { role: "read", db: "eryajf" } ]}) #创建对应用户
Successfully added user: {"user" : "test1","roles" : [{"role" : "read","db" : "eryajf"}]
}
> show users    #查看用户
{"_id" : "eryajf.test","userId" : UUID("3bd64373-13c5-4a47-95f9-92a2433c0bf4"),"user" : "test","db" : "eryajf","roles" : [{"role" : "readWrite","db" : "eryajf"}],"mechanisms" : ["SCRAM-SHA-1","SCRAM-SHA-256"]
}
{"_id" : "eryajf.test1","userId" : UUID("eb2e54b8-a036-40a8-b8d4-5c8f5548ad25"),"user" : "test1","db" : "eryajf","roles" : [{"role" : "read","db" : "eryajf"}],"mechanisms" : ["SCRAM-SHA-1","SCRAM-SHA-256"]
}

[root@localhost bin]$mongo -utest1 -ptest1 eryajf
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/eryajf?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("cca6f744-47e6-4bcb-8682-8c1af7080108") }
MongoDB server version: 4.0.10
> db.getCollectionNames()   #可以正常查询
[ "a", "b", "c", "d" ]
> db.createCollection('e')  #创建报错
{"ok" : 0,"errmsg" : "not authorized on eryajf to execute command { create: \"e\", lsid: { id: UUID(\"cca6f744-47e6-4bcb-8682-8c1af7080108\") }, $db: \"eryajf\" }","code" : 13,"codeName" : "Unauthorized"
}
>

3，创建对多库不同权限的用户

创建对 test 为读写权限，对 eryajf 库为只读权限的用户

[root@localhost bin]$mongo -uroot -proot admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("c5e35008-0a1e-4513-9394-947e49f67f81") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T00:16:54.097+0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T00:16:54.097+0800 I CONTROL  [initandlisten]
> use test  #切换到test库
switched to db test
> db.createUser({user: "app",pwd: "app",roles: [ { role: "readWrite", db: "test" },{ role: "read", db: "eryajf" }]})    #创建用户
Successfully added user: {"user" : "app","roles" : [{"role" : "readWrite","db" : "test"},{"role" : "read","db" : "eryajf"}]
}
> show users    #查看用户
{"_id" : "test.app","userId" : UUID("e25d6c21-190a-44e4-8868-868a474fcf12"),"user" : "app","db" : "test","roles" : [{"role" : "readWrite","db" : "test"},{"role" : "read","db" : "eryajf"}],"mechanisms" : ["SCRAM-SHA-1","SCRAM-SHA-256"]
}

注意，这个时候创建的用户，是基于 test 库创建的，那么后续登陆等操作，也都需要跟上 test 库，而不能够跟上 eryajf 的库。如果跟上 eryajf 的库，将会报如下错误：

[root@localhost bin]$mongo -uapp -papp eryajf
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/eryajf?gssapiServiceName=mongodb
2019-07-04T00:54:54.617+0800 E QUERY    [js] Error: Authentication failed. :
connect@src/mongo/shell/mongo.js:344:17
@(connect):2:6
exception: connect failed

查看并测试用户

[root@localhost bin]$mongo -uapp -papp test
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/test?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("8cef0c4a-3f3d-4802-8926-79aea22db826") }
MongoDB server version: 4.0.10
> db.createCollection('a')
{ "ok" : 1 }
> db.getCollectionNames()
[ "a" ]
> use eryajf
switched to db eryajf
> db.getCollectionNames()
[ "a", "b", "c", "d" ]

4，更改用户权限

其实更改权限无非就是更改用户的角色，因为在 MongoDB 中，角色决定了不同用户的不同权限。

先查看一下当前用户的角色

[root@localhost bin]$mongo -uroot -ptest1 admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("dbda85c8-7a90-4143-a31c-7a8ea58b80cc") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T18:06:24.623+0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T18:06:24.623+0800 I CONTROL  [initandlisten]
> use eryajf
switched to db eryajf
> show users
{"_id" : "eryajf.test","userId" : UUID("3bd64373-13c5-4a47-95f9-92a2433c0bf4"),"user" : "test","db" : "eryajf","roles" : [{"role" : "readWrite",   #可以看到test用户是readWrite的角色"db" : "eryajf"}],"mechanisms" : ["SCRAM-SHA-1","SCRAM-SHA-256"]
}
{"_id" : "eryajf.test1","userId" : UUID("eb2e54b8-a036-40a8-b8d4-5c8f5548ad25"),"user" : "test1","db" : "eryajf","roles" : [{"role" : "read",    #可以看到test1用户是read的角色"db" : "eryajf"}],"mechanisms" : ["SCRAM-SHA-1","SCRAM-SHA-256"]
}

更改用户角色

[root@localhost bin]$mongo -uroot -ptest1 admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("dbda85c8-7a90-4143-a31c-7a8ea58b80cc") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T18:06:24.623+0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T18:06:24.623+0800 I CONTROL  [initandlisten]
> use eryajf
switched to db eryajf
> db.updateUser("test",{roles:[{role:"dbAdmin",db:"eryajf"}]})
> show users
{"_id" : "eryajf.test","userId" : UUID("3bd64373-13c5-4a47-95f9-92a2433c0bf4"),"user" : "test","db" : "eryajf","roles" : [{"role" : "dbAdmin", #可以看到权限已经更新"db" : "eryajf"}],"mechanisms" : ["SCRAM-SHA-1","SCRAM-SHA-256"]
}
{"_id" : "eryajf.test1","userId" : UUID("eb2e54b8-a036-40a8-b8d4-5c8f5548ad25"),"user" : "test1","db" : "eryajf","roles" : [{"role" : "read","db" : "eryajf"}],"mechanisms" : ["SCRAM-SHA-1","SCRAM-SHA-256"]
}

5，删除用户

删除 app 用户：先登录到 admin 数据库

[root@localhost bin]$mongo -uroot -proot admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("6edeba63-e2bf-477c-a098-965767d105b6") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T00:16:54.097+0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T00:16:54.097+0800 I CONTROL  [initandlisten]
>

进入 test 库删除 app 用户

> use test
switched to db test
> show users
{"_id" : "test.app","userId" : UUID("e25d6c21-190a-44e4-8868-868a474fcf12"),"user" : "app","db" : "test","roles" : [{"role" : "readWrite","db" : "test"},{"role" : "read","db" : "eryajf"}],"mechanisms" : ["SCRAM-SHA-1","SCRAM-SHA-256"]
}
> db.dropUser("app")
true
> show users

到这里，基本上能够体会到，MongoDB 当中那些关于角色用户权限规则的定义与配置了，MongoDB 自身已经定义好了许多个角色，这些角色针对全局，而在创建用户的时候，用户，角色，库这三个概念又是分离的，因此要多多体会，去理解三者的关系。

6，其他授权

创建 app 数据库的管理员：先登录到 admin 数据库

[root@localhost bin]$mongo -uroot -proot admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("572862cc-456d-4f5f-98ea-e65054411de6") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T00:16:54.097+0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T00:16:54.097+0800 I CONTROL  [initandlisten]
> use app
switched to db app
> db.createUser({user: "admin",pwd: "admin",roles: [ { role: "dbAdmin", db: "app" } ]})
Successfully added user: {"user" : "admin","roles" : [{"role" : "dbAdmin","db" : "app"}]
}
> show users
{"_id" : "app.admin","userId" : UUID("01e196c8-2119-488b-9d11-b969db266aea"),"user" : "admin","db" : "app","roles" : [{"role" : "dbAdmin","db" : "app"}],"mechanisms" : ["SCRAM-SHA-1","SCRAM-SHA-256"]
}

创建 app 数据库读写权限的用户并具有 clusterAdmin 权限，要当心，这个用户的权限可是相当大的。

[root@localhost bin]$mongo -uroot -proot admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("572862cc-456d-4f5f-98ea-e65054411de6") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T00:16:54.097+0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T00:16:54.097+0800 I CONTROL  [initandlisten]
> use app
switched to db app
> db.createUser({user: "super-app",pwd: "super-app",roles: [ { role: "readWrite", db: "app" },{ role: "clusterAdmin", db: "admin" }]})
Successfully added user: {"user" : "super-app","roles" : [{"role" : "readWrite","db" : "app"},{"role" : "clusterAdmin","db" : "admin"}]
}
> show users
{"_id" : "app.super-app","userId" : UUID("7533af91-3063-4460-8cb5-f77061eb5680"),"user" : "super-app","db" : "app","roles" : [{"role" : "readWrite","db" : "app"},{"role" : "clusterAdmin","db" : "admin"}],"mechanisms" : ["SCRAM-SHA-1","SCRAM-SHA-256"]
}

4，官方文档

如果想要更加深入钻研用户权限问题，可以参考官方文档：https://docs.mongodb.com/manual/reference/method/js-user-management/